Robin’s Newsletter #201

24 April 2022. Volume 5, Issue 17
Okta breach affected two customers. Russian invasion leaves it 'fair game' for cyberattacks. Java’s ‘psychic signatures’ and conceptualising cybercrimes.

It’s a (slightly) shorter edition this week because I’m on vacation.

This week

Okta breach affected two customers; lasted 25 minutes

Okta has admitted it handled comms around their recent breach poorly (vol. 5, iss. 13, [vol. 5, iss. 14](https://rto.me.uk/newsletter/robins-newsletter-198/)). Now more details are emerging — including the classic ‘legacy’ infrastructure: it’s always the bit that bites you — and the scale of the incident, affecting two customers and lasting a total of 25 minutes, is much smaller than originally feared.

Two things here:

  1. Okta suffered huge reputation damage from this ‘small’ incident. People accept that nothing is 100% secure, as there are plenty of uncontrollable elements; however, the response and the way it was handled were within the control of the company, and that had an outsize impact on perception.
  2. Lapsus$ made a lot of hay out of this. It’s important to remind ourselves that groups like this are, in part, motivated by attention (similar to hacktivists). That’s a type of threat actor that hasn’t been particularly front of mind for many in recent years, and it’s worth considering their motives.

Of the two customers affected, Okta’s Chief Security Officer David Bradbury said that “the threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support ‘impersonation’ events.”

Okta CEO Todd McKinnon described the events as “transformative,” something echoed by quite a few clients I’ve worked with on high profile incidents. These things are hugely ‘emotional events’ for companies, their staff and especially leaders.

The transparency on lessons learned is welcome and should serve to remind other cyber security vendors: it can happen to you; you must have a plan.

bleepingcomputer.com, okta.com, @toddmckinnon

Interesting stats

Mandiant’s 2022 M-Trends report came out this week covering the 15 months to 31st Dec 2021…

416 days median global dwell time in 2011, down to just 21 days in the last reporting period, with a 50% increase in time taken to detect incidents internally (from 12 days to 18 days) and a 62% decrease when incidents are detected and reported to a victim by an external party.

Tabular results of global median dwell time from 2011-2021, showing an overall decline in that decade from 416 days to 21 days (Source: Mandiant)

Exploits and supply chain compromise up, phishing down as initial infection vectors:

37% (2020: 29%) were exploits, 17% (2020: 1%) came via supply chain compromise, and 11% (2020: 23%) started with phishing, while 14% were handoffs from previous compromises or malware infections, and 9% involved stolen credentials.

As data is sourced from Mandiant investigations and the basis of these investigations isn’t provided (e.g. X investigations across Y regions/sectors/etc) it’s difficult to know if there’s any bias in some of the data (particularly sectoral and geographic).

However, there’s lots of good info in the back half (don’t try to read it all at once!) on tactics, techniques and procedures observed from Mandiant incident response engagements (mapped to MITRE ATT&CK), plus a deep dive into ransomware groups targeting virtualisation platforms and how China is retooling its cyber-espionage operations.

H/t Rich! mandiant.com (PDF)

Other newsy bits

Russia is ‘fair game’ for cyberattacks

The Intercept’s Micah Lee notes the increasing number of cyber attacks and breaches against Russian organisations following the invasion of Ukraine. It appears that a lot of information is ending up online for journalists and the public to trawl through. I’d be sure that various intelligence agencies are keeping a close eye on the dumps too, which include state oil and gas company Gazprom, Rosatom the Russian nuclear energy agency, and Roskomnadzor the telecommunications regulator (who is also responsible for online censorship).

It’s difficult to tell if this is Ukraine’s “IT Army” (vol. 5, iss. 12) being recruited by Telegram, displaced and angry Ukrainian cybercriminals (who have significant experience and skill, historically working closely with Russian counterparts) or others. What’s clearer is that Russia appears to be ‘fair game’ and that many state organisations suffer from similar weaknesses to Western equivalents.

@micahflee

Java’s ‘psychic signatures’

This is a bad one and if your apps/platform runs on Java 15, 16 (both unsupported), 17 or 18, you need to get patching this quickly: it appears that you can easily spoof certificates and handshakes in Java apps that use Elliptic Curve Digital Signature Algorithm (ECDSA). That typically includes authentication tokens and signed session information, making it possible for an attacker to bypass your authentication checks.

To verify ECDSA signatures you compare two values, the public key used to sign the message and the hash of the message. If values on both sides of the equation were zero, you end up multiplying everything else by zero and getting… zero. That’s why it’s important to check that the values are not zero.

And, well… Java… did not check that.

Neil Madden, a researcher at ForgeRock who discovered the vulnerability, likens it to the ‘psychic paper’ that Dr Who uses in the TV series that makes the reader see whatever the Doctor wants.

neilmadden.blog, oracle.com

Conceptualising cybercrime

“What is cyber?” The answer depends. A lot. Cyber gets tagged on to lots of stuff (mostly negative; call it digital if it’s positive) and covers a wide range of different issues. For example, as a CISO you’re unlikely to be spending much time worrying about ‘cyber-bullying’ though that can be hugely impactful to an individual.

This looks to be a thought-through model for various definitions, typologies and taxonomies of ‘cyber’ harms. That can be confusing for people and a clear understanding of what the landscape of harm looks like is especially important framing for policymakers.

A chart showing the different aspects of ‘cyber’ harms moving from cyber-dependent and cyber security focussed ‘crimes against or using, the machine’ to cyber-enabled and cyber safety focussed ‘crimes in the machine’ or ‘cyber assisted’ crime. (Source: Phillips, K.; Davidson, J.C.; Farr, R.R.; Burkhardt, C.; Caneppele, S.; Aiken, M.P. Conceptualizing Cybercrime: Definitions, Typologies and Taxonomies. Forensic Sci. 2022)

This is important work because, as the abstract notes, “cybercrime is becoming ever more pervasive,” while there is a “lack of consensus surrounding what constitutes a cybercrime”.

H/t to Simon for this one! mdpi.com

And finally

Two things this week…

What could go wrong?

Cool cyberpunk inspired artwork for different types of threat events mapped to the VERIS framework (used by Verizon in their annual Data Breach Investigation Report).

Check out Erik Remmelzwaal’s GitHub repo below, and h/t Mario for the prompt on Twitter!

github.com

SOC.OS acquired by Sophos

Sophos has acquired SOC.OS, whose SaaS-based security alert investigation and triage product has a great timeline and cluster interface for helping analysts triage alerts. Huge congratulations to Dave, Craig and the rest of the SOC.OS team (mostly previous BAE Systems colleagues) on this exciting news!

socos.io, sophos.com

Robin
